Malware Samples Target Windows OS from Linux Subsystem, New Findings About Cloud-Based Attacks, AUKUS Pact, U.S. Hacking on Behalf of UAE, Master Decryptor for REvil Victims
2. Malware samples target the Windows operating system from its Linux subsystem
- Security researchers discovered a set of malware samples built to run inside the Windows Subsystem for Linux (WSL) and then move laterally into the native Windows environment. The samples are written in Python, run on a Debian WSL distribution, and have a low detection rate among traditional security controls.
- The developers packaged the samples as Executable and Linkable Format (ELF) binaries. When executed, the loader fetches and runs a secondary payload, which is injected into a running Windows process through Windows API calls.
- While the researchers describe these samples as unique, similar techniques for abusing WSL had been proposed as early as 2017.
Expert Commentary: These samples appear to have limited spread so far, with targets observed only in France and Ecuador. They have also been seen on only one publicly routable IP address, which suggests they are not as widespread as feared. Many security experts theorize that the malware is still in development and that the threat actors are testing its potency and execution.
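One practical check that follows from the technique above: a payload staged inside WSL can only reach the Windows side through the interop layer, so the Windows process it launches or injects from appears in process-creation telemetry with a WSL component as its parent. The following Python is an added example written for this page, not the researchers' code and not the malware itself. It runs a simple rule over constructed Sysmon-style process-creation records; the parent set (wsl.exe, wslhost.exe, bash.exe, init), the list of staging hosts, the field names and the sample records are all assumptions to be tuned against real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# WSL components that show up as the Windows-side parent when a Linux process
# launches a Windows executable through the interop layer. Assumption: confirm
# and tune this set against process-creation telemetry from your own hosts.
WSL_PARENTS = {"wsl.exe", "wslhost.exe", "bash.exe", "init"}

# Windows binaries frequently used to host a second stage or injected code.
# Constructed list; extend it from your own baseline.
STAGING_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\wsl.exe ParentImage=C:\Windows\explorer.exe CommandLine="wsl.exe -d Debian"
Image=C:\Windows\System32\wslhost.exe ParentImage=C:\Windows\System32\wsl.exe CommandLine="wslhost.exe"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\wsl.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"
Image=C:\Users\alice\AppData\Local\Temp\update.exe ParentImage=C:\Windows\System32\wslhost.exe CommandLine="update.exe"
Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\wslhost.exe CommandLine="cmd.exe /c whoami"
"""

RECORD_RE = re.compile(
    r'Image=(?P<image>\S+) ParentImage=(?P<parent>\S+) CommandLine="(?P<cmd>[^"]*)"'
)


@dataclass
class Finding:
    image: str
    parent: str
    command_line: str
    severity: str


def basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_records(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record line; lines that do not match are ignored."""
    for line in text.splitlines():
        match = RECORD_RE.search(line)
        if match:
            yield match.groupdict()


def detect_wsl_spawned(text: str) -> List[Finding]:
    """Flag Windows processes whose parent is a WSL component.

    The normal WSL bootstrap chain (wsl.exe -> wslhost.exe) is expected and
    skipped; anything else launched from that chain is reported, with higher
    severity when the child is a common staging/injection host.
    """
    findings: List[Finding] = []
    for rec in parse_records(text):
        image = basename(rec["image"])
        parent = basename(rec["parent"])
        if parent not in WSL_PARENTS or image in WSL_PARENTS:
            continue
        severity = "high" if image in STAGING_HOSTS else "medium"
        findings.append(Finding(image, parent, rec["cmd"], severity))
    return findings


if __name__ == "__main__":
    for f in detect_wsl_spawned(SAMPLE_LOG):
        print(f"[{f.severity}] {f.parent} -> {f.image}: {f.command_line}")
```

The rule deliberately does not key on the payload's file name or hash, since the samples were Python packaged as ELF and can be rebuilt freely; the parent-child relationship across the WSL boundary is the part an attacker cannot easily avoid.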
2. Two-thirds of cloud-based attacks are preventable with proper infrastructure configuration
- A recent study found that two-thirds of cloud security incidents could have been prevented if users had properly managed the configuration of applications, databases, and security policies.
- Configuration practices that would have prevented these incidents include system hardening, proactive enforcement of security policies, and a reliable patching cadence.
- The study also found that introducing unauthorized tools (shadow IT) into a corporate environment raises both the probability and the impact of a compromise, because most shadow-IT tools are not monitored or managed by a central IT team.
Expert Commentary: IT teams are made up of people, and people forget, get tired, and cut corners. Those human weaknesses surface as technical flaws such as misconfigured systems, and threat actors exploit them. An automated desired-state configuration solution lets IT teams keep infrastructure aligned with evolving policies without relying on anyone remembering to do it, and this kind of automation significantly reduces the number of incidents.
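The desired-state idea in the commentary above is small enough to show end to end. The following Python is an added example for this page, not code from the study or from any vendor's configuration tool. It declares the settings each resource type must have (hardening, patch age, exposure, backups), compares them with an observed inventory snapshot, and reports every mismatch as drift together with the value policy requires. Resources of a type that no policy covers are reported too, which is how the shadow-IT case surfaces rather than passing silently. The resource types, field names, rules and the inventory snapshot are all constructed for illustration and do not correspond to any cloud provider's API.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# A rule is either a literal the setting must equal, or an (op, bound) tuple
# with op in {"<=", ">="} for numeric limits. Constructed policy; the field
# names are illustrative and not any provider's real attribute names.
Rule = Any

DESIRED_STATE: Dict[str, Dict[str, Rule]] = {
    "storage_bucket": {
        "public_access": False,
        "encryption_at_rest": True,
        "versioning": True,
        "min_tls_version": "1.2",
    },
    "vm_instance": {
        "os_patch_age_days": ("<=", 14),   # patching cadence
        "ssh_password_auth": False,        # hardening
        "public_ip": False,                # exposure
    },
    "database": {
        "publicly_accessible": False,
        "encryption_at_rest": True,
        "backup_retention_days": (">=", 7),
    },
}

# Constructed inventory snapshot standing in for what an inventory API returns.
OBSERVED: List[Dict[str, Any]] = [
    {"id": "bucket-logs", "type": "storage_bucket", "public_access": True,
     "encryption_at_rest": True, "versioning": False, "min_tls_version": "1.2"},
    {"id": "web-01", "type": "vm_instance", "os_patch_age_days": 45,
     "ssh_password_auth": False, "public_ip": True},
    {"id": "orders-db", "type": "database", "publicly_accessible": False,
     "encryption_at_rest": True, "backup_retention_days": 3},
    # A resource type no policy covers: the shadow-IT case.
    {"id": "dev-sync-tool", "type": "saas_connector", "owner": "unknown"},
]


@dataclass
class Drift:
    resource: str
    setting: str
    observed: Any
    required: str


def satisfies(rule: Rule, value: Any) -> bool:
    """True when the observed value meets the rule.

    A missing value (None) never satisfies a rule, so unknown state fails
    closed instead of being treated as compliant.
    """
    if value is None:
        return False
    if isinstance(rule, tuple):
        op, bound = rule
        return value <= bound if op == "<=" else value >= bound
    return value == rule


def describe(rule: Rule) -> str:
    """Human-readable form of a rule for the drift report."""
    return f"{rule[0]} {rule[1]}" if isinstance(rule, tuple) else repr(rule)


def find_drift(desired: Dict[str, Dict[str, Rule]],
               observed: List[Dict[str, Any]]) -> List[Drift]:
    """Compare every observed resource with the desired state for its type."""
    drifts: List[Drift] = []
    for res in observed:
        rules = desired.get(res.get("type"))
        if rules is None:
            drifts.append(Drift(res["id"], "type", res.get("type"),
                                "a type covered by policy (unmanaged resource)"))
            continue
        for setting, rule in rules.items():
            value = res.get(setting)
            if not satisfies(rule, value):
                drifts.append(Drift(res["id"], setting, value, describe(rule)))
    return drifts


if __name__ == "__main__":
    for d in find_drift(DESIRED_STATE, OBSERVED):
        print(f"{d.resource}: {d.setting} is {d.observed!r}, policy requires {d.required}")
```

In a real deployment the `required` value of each Drift is also the remediation: a desired-state engine would apply it rather than only report it, and running the comparison on a schedule is what keeps the configuration aligned as the policy changes.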
3. Former U.S. intelligence officers admit to hacking on behalf of a Middle Eastern company
- Three former U.S. intelligence officers agreed to pay $1.68 million in penalties to the U.S. Department of Justice (DOJ) to resolve charges over their involvement in cyber-mercenary operations on behalf of a United Arab Emirates (UAE)-based company. The former National Security Agency (NSA) cyber intelligence officers were accused of providing offensive and defensive cyber capabilities and hacking services used for clandestine intrusions.
- These capabilities included sophisticated zero-click exploits, which run their payloads without any action by the victim. The exploits were used to illicitly gather credentials for online accounts owned and controlled by U.S.-based organizations.
- According to the DOJ, the UAE government used these capabilities to break into mobile devices belonging to people it considered dissidents, including journalists and activists.
Expert Commentary: The charges center on the defendants' failure to register with, and obtain a license from, the State Department's Directorate of Defense Trade Controls (DDTC), which regulates the flow of defense services in and out of the U.S. While cyber weapons and hackers for hire are a hot commodity on the black market, the U.S. government is focused on tracking the misuse of cybersecurity knowledge and skills against American interests at home and abroad. The case signals that, like any other lethal weapon, offensive cyber tools and services are treated as controlled defense services that cannot be provided to a foreign party without a license.
4. Australia, the U.K., and the U.S. announce security partnership
- The United States, United Kingdom, and Australia recently announced a trilateral security and defense accord known as the AUKUS pact. The pact covers the sharing of emerging technologies, including artificial intelligence, cyber capabilities, and quantum computing, as well as cooperation on defense industrial bases and supply chains.
- Under the AUKUS pact, the U.S. and U.K. will give Australia the technology it needs to build nuclear-powered submarines, intended to counter China's influence in and around the contested South China Sea. This is the first time in about 60 years that the U.S. has shared its submarine technology.
- With nuclear-powered submarines, sophisticated cyber capabilities, and other emerging technologies set to flow between the three nations, the Chinese government reacted unfavorably to the announcement, saying that Australia is simply turning itself into an adversary of China.
Expert Commentary: Australia and China have been in a period of diplomatic friction that has escalated from trade tariffs to outright cyberattacks. As a result, Australia has sought offensive and defensive security support to fend off China's influence in both cyberspace and the physical world. The pact is a significant win for the Australian government, which will now receive closely guarded U.S. cyber and naval technologies.
5. Past victims of REvil ransomware receive a master decryptor
- A free master decryptor has been released for victims whose systems were encrypted by REvil before the gang went offline in July 2021. It lets them recover their files without paying a ransom.
- Cybersecurity firm Bitdefender developed the decryptor in collaboration with law enforcement to lessen the financial burden on REvil victims.
- According to Bitdefender, the decryption tool works against all REvil (also known as Sodinokibi) infections from before the gang went offline.
Expert Commentary: Security experts are now familiar with REvil's tactics, techniques, and procedures, so we expect more free decryptors to be developed to help tackle ransomware. We also expect ransomware actors to use "free ransomware decryptors" as a lure to trick unsuspecting victims into downloading poisoned code that ends up encrypting their systems. Before running any decryptor, confirm it comes from the vendor or law enforcement source that announced it.